[sclug] sclug Digest, Vol 94, Issue 4
Neil Haughton
haughtonomous at googlemail.com
Thu Jul 7 12:02:54 UTC 2011
Thanks for the details. Food for thought.....
Neil.
On 7 July 2011 13:00, <sclug-request at sclug.org.uk> wrote:
> Send sclug mailing list submissions to
> sclug at sclug.org.uk
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://sclug.org.uk/mailman/listinfo/sclug
> or, via email, send a message with subject or body 'help' to
> sclug-request at sclug.org.uk
>
> You can reach the person managing the list at
> sclug-owner at sclug.org.uk
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of sclug digest..."
>
> Today's Topics:
>
> 1. Re: Personalised web content filtering (Jeremy Hooks)
>
>
> ---------- Forwarded message ----------
> From: Jeremy Hooks <jeremyhooks at googlemail.com>
> To: haughtonomous at googlemail.com
> Date: Wed, 6 Jul 2011 15:25:01 +0100
> Subject: Re: [sclug] Personalised web content filtering
> Hi
>
> I'm new to this mailing list, although I've been subscribed for a couple of
> years and occasionally lurking. I thought I would chime in with my
> tuppence.
>
> With regard to IPCop, I have some experience (albeit rusty). It is
> worth looking
> into the addons available for it. It's been a while, but I seem to recall
> that there is one add on, "Block Out-going Traffic" (IIRC) which might be
> useful in addition to (say) whitelisting allowed sites. With just web
> filter-
> ing, obviously everything else is left open. Block out-going traffic will
> let
> you block everything else (probably using IPTables). I seem to recall that
> you are right about IPCop not being able to do user based access control.
> However, it may be able to control access based on IP address - and if you
> use BOOTP that will also be machine address too (there is a DHCP server in
> IPCop, though it may be an addon). Another option might be to setup VLANs
> (if
> your network allows) and force untrusted users' PCs to go via IPCop and
> allow
> full access for the others.
>
> Another option (though expensive) might be to give the employees two
> machines.
> One with full access and another with access only to the sourcecode and the
> secured internal network. I imagine this would also require two
> separate networks (or virtual networks).
>
> One of the legitimate uses you mentioned was MSDN access, presumably so
> that
> they will be to download resources to install on the development machine.
> You
> could run (say) an FTP server which bridges the secure and insecure
> networks to
> allow developers to download files to the insecure machine, upload to the
> FTP
> server, then download to their development machine (perhaps after the file
> has
> been authorised). Admittedly it is rather convoluted, but it is one option
> which you may not have considered.
>
> Obviously you can never be 100% secure and as you mentioned, this is
> largely
> an HR issue (in that you shouldn't be employing people you don't trust).
> That
> said, you wouldn't give everyone full access to the personnel or finance
> data,
> nor the companies bank account and it is only sensible that when you give
> access, you do all you can to prevent abuse.
>
> Regards.
>
>
> _______________________________________________
> sclug mailing list
> sclug at sclug.org.uk
> http://sclug.org.uk/mailman/listinfo/sclug
>
More information about the Sclug
mailing list